BFE "BASE FILTERING ENGINE" network communication or attack?

conandrum
Junior Member with 3 posts.
 
Join Date: Jun 2009
Experience: Advanced
01-Jun-2009, 04:25 AM #1
Hi, this is my first post to this forum.
Today I installed a 3rd party firewall (COMODO Internet Security) on my laptop and HTPC, that coexists with the VISTA firewall on both.
Both machines have Vista SP2. Both are behaving perfectly.
After the first reboot on the HTPC, I noticed 203 intrusion detections. Further inspection showed a remote IP address 72.27.8.199:1051 hammering my port 56420 every 2 seconds. Seven other remote machines tried the same thing within the same 203 attempts but with ports above 51000 and only once each (e.g. 83.227.24.134:59791).
I was alarmed and searched for my 56420 port, which led me to SVCHOST and a PID. Using PROCESS EXPLORER (I guess you could use task manager) I found out that several services could be using this port, so I started disabling each one, until the port was no longer available in PORT EXPLORER (I guess you could use netstat -ano). This led me to discover that port 56420 was used by BFE or "Base Filtering Engine" (and not to its dependents).

1. Was 72.27.8.199:1051 probing/attacking me?
2. Was 83.227.24.134:59791 probing/attacking me or is there something else going on with this one?

Anyway the intrusion counter soon stopped and I then installed the same firewall on my laptop.
To my amazement intrusion alerts started popping up and their source was my HTPC with port 56420!
The logger showed: HTPC:56420 -> LAPTOP:57312 and also MYPUBLICIP:56420 -> LAPTOP:57312
Running my usual tests on port 57312 on the laptop I soon discovered that this port corresponded to BFE or "Base Filtering Engine" (and not to its dependents).

DEJAVU? What is going on here? Why is this happening? The HTPC and laptop BFEs like talking once every time I reboot!

3. Can someone please explain to me why the "Base Filtering Engine" on each of my LAN machines feels the need to communicate and make small-talk?
4. And can someone please explain to me why the "Base Filtering Engine" on my HTPC feels the need to communicate and make small-talk long distance (could this be what it was doing with those 7 remote IPs)?
5. And what does my MYPUBLICIP:56420 have to do with everything?

Anyway I am confused.
Any ideas please?
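
The port-to-PID-to-service lookup described in post #1, as an added example that is not part of the original thread. It parses `netstat -ano` output together with `tasklist /svc` output (a command the post does not mention); the sample text, PIDs and service grouping are constructed for illustration.

```python
import re

# Constructed samples in the layout of `netstat -ano` and `tasklist /svc`;
# the PIDs and service grouping are illustrative, not the poster's data.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:56420          *:*                                    1040
  UDP    [::]:56420             *:*                                    1040
"""
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    884 RpcEptMapper, RpcSs
svchost.exe                   1040 BFE, DPS,
                                   MpsSvc
"""

def port_owners(netstat_text, port):
    """PIDs whose local endpoint uses `port`, as a set of (proto, pid)."""
    owners = set()
    for line in netstat_text.splitlines():
        f = line.split()
        # UDP rows have no State column, so take the PID from the last field.
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            if f[1].rsplit(":", 1)[-1] == str(port):  # rsplit copes with [::]:port
                owners.add((f[0], int(f[-1])))
    return owners

def services_by_pid(tasklist_text):
    """Map PID -> list of hosted services, joining wrapped continuation lines."""
    table, pid = {}, None
    for line in tasklist_text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            pid, rest = int(m.group(2)), m.group(3)
            table[pid] = []
        elif pid is not None and line.startswith(" ") and line.strip():
            rest = line
        else:
            continue
        table[pid] += [s.strip() for s in rest.split(",")
                       if s.strip() and s.strip() != "N/A"]
    return table

def candidates_for_port(port):
    """Services sharing the process that owns `port`: candidates, not proof."""
    svc = services_by_pid(TASKLIST_SVC)
    return {pid: svc.get(pid, []) for _, pid in port_owners(NETSTAT_ANO, port)}

if __name__ == "__main__":
    print(candidates_for_port(56420))
```

The result is every service hosted in the owning svchost process, which is why the lookup alone cannot attribute the socket to a single service.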
Elvandil
Moderator with 48,927 posts.
 
Join Date: Aug 2003
Location: Vermont
Experience: "Been through the mill."
01-Jun-2009, 04:44 AM #2
The BFE was probably not communicating with the sites in Jamaica and Scandinavia. That the same port was used is not definitive for communication. In any case, you should allow the BFE full access.

Why you received communication from those sites is also almost impossible to tell. It could be most anything, from researchers measuring internet parameters, to port scanners, to malware infections on your machine, to programs you have installed checking for updates. It is normal for there to be innumerable connection attempts at all times, most harmless.

But because some few are not harmless, we have firewalls. Let the firewall do its job and don't overthink it.

You might try Current Ports to monitor all your connections.
__________________
Microsoft MVP
異驚の界世 ˇpןɹoʍ ǝɥʇ ɟo sɹǝpuoʍ ǝɥʇ ɟo ǝuo sı ǝpoɔıun ʞuıɥʇ ı
conandrum
Junior Member with 3 posts.
 
Join Date: Jun 2009
Experience: Advanced
01-Jun-2009, 05:38 AM #3
What you say is fair enough.
Let's then suppose that all external IP addresses were probing/attacking/whatever... In that case, why does the firewall specify data transfers between my PC and the remote PC that amount to many megabytes? Is it normal to have (UDP IN with destination 56420) 1.6MB, 2.1MB, 2.5MB, 5.2MB in the Bytes Out column? Why so much data given to these IPs? I received only some KBs!



Also, why does my HTPC BFE want to communicate with my laptop BFE? What are they talking about?

There is simply not much info on the net about BFE and certainly nothing describing this kind of strange behaviour.

By the way at least Kaspersky, Comodo, Spybot and Malware Bytes say I have no malware on my machine.
Elvandil
Moderator with 48,927 posts.
 
Join Date: Aug 2003
Location: Vermont
Experience: "Been through the mill."
05-Jun-2009, 02:53 PM #4
I'm not convinced that it is BFE that is doing the communicating, but the fact that there is so much data being transferred is certainly a cause for some alarm and further investigation.

You might try a "packet sniffer" and other filtering tools to try to determine exactly what the contents of that transfer are.
conandrum
Junior Member with 3 posts.
 
Join Date: Jun 2009
Experience: Advanced
06-Jun-2009, 06:22 AM #5
Thanks for the suggestions, I will try.

Tags
attack, base filtering engine, bfe, firewall, network

All times are GMT -4.